Possible shopDisney Security Breach May Have Exposed Your Personal Information to Other Shoppers During Star Wars Day Merchandise Release

It’s no secret that all of the recent merchandise releases on shopDisney have had serious problems. From the Minnie Mouse: The Main Attraction release, where some shoppers were improperly charged many hundreds of dollars with multiple charges on their cards after placing a single order, to the Joe Rohde Ear Hat fiasco where the coveted set of ears sold out in seconds thanks to bots scooping up all the inventory before you and I even had a chance, buying Disney merchandise has never been more difficult or more frustrating. And now it has become downright dangerous.

Most people would expect that a global conglomerate that’s also one of the world’s most well-known and trusted brands would be able to competently run an online store. Unfortunately, this is not the case. shopDisney.com is not only one of the most frustrating sites to shop online, but now it seems that some sort of security glitch may have revealed your personal information to other shoppers.

On May 2nd, shopDisney announced that they were implementing a “virtual waiting room” for the release of the Star Wars Day merchandise on May 4th. As a tacit acknowledgement of the issues with the recent releases, Disney clearly knows there is a serious problem with the site, and we hoped they had finally figured out a way to make these merchandise releases something other than an exercise in frustration.

Alas, it was not to be. The site immediately crashed at 10:00 AM EDT when the merchandise was set to be released. Numerous shoppers took to Twitter and the comments section of our post to once again express frustration with the “virtual waiting room” that didn’t really appear to solve anything. Frustrated shoppers (including myself) were not enjoying the virtual waiting room, but instead were faced with a white screen simply saying “Oops… Something went wrong” or merchandise that was instantly sold out.

It was so bad that shopDisney was forced to tweet an acknowledgement of the issue almost two hours after the merchandise was released. Over 1,200 replies to this tweet show the level of frustration of loyal Disney fans.

Although the “technical issues” were certainly frustrating, a much more insidious and alarming problem seems to have cropped up this time: a security glitch that may have exposed your account information to other shoppers.

Instead of the typical “Hi Jason!” that usually greets me, shopDisney had instead logged me into the account of someone named… Chris.

Of course, once you are logged in, you can click to see account information, change passwords, add addresses or payment methods, etc. I did not click through to see any of Chris’s personal information, but I did take this screenshot.

While Disney has ignored thousands of complaints on social media about these failed merchandise releases, a security breach that exposes personal information is on a different level altogether. shopDisney needs a serious overhaul, and it needs it now.

0 0 vote
Article Rating
14 Comments
Oldest
Newest Most Voted
Inline Feedbacks
View all comments
Tim Leonard
Tim Leonard
4 months ago

I would rephrase this article, while I totally agree ShopDisney is a POS, you should probably see if other people have had the issue and properly vet your information through security sites that monitor for company breaches. I work in IT Security and what you described, while interesting and curious, isn’t a “slam dunk” it was indeed a security breach. This article seems more clickbait than anything.

Tom Corless
Admin
4 months ago
Reply to  Tim Leonard

Several people posted the same thing, as we mentioned in the piece.

Maggie
Maggie
4 months ago

Wow Jason thanks for the heads up! I didn’t check that while trying to buy the keys, but every time I tried signing in it would just take me back to the page without signing in. I eventually did it all as a guest so I’m glad I did!

Deborah Kieffer
4 months ago

That’s just lovely. I know when I was finally able to log in, after being told my password was not recognized numerous times. I’ve used the same password and email for years & years. My name was Angie, instead of Deborah.

Bill
Bill
4 months ago

It’s possible that “Chris” is a test case they use when they don’t have valid input into that section of the website. It’s very unlikely that you were actually logged into another user’s account, unless you have more specific examples of another person’s personal information being exposed to you. I agree that ShopDisney needs major overhauls, though. The shopping experience on May 4th was horrendous.

Tom Corless
Admin
4 months ago
Reply to  Bill

I mean, we’re not posting the person’s address lol

Bill
Bill
4 months ago
Reply to  Tom Corless

I wouldn’t expect you to, but can you confirm or deny whether you checked if you indeed had any access to information you shouldn’t have? The article suggests that the author did not look at any personal information, so it’s possible that there was none there. “Chris” is a name that parks cast members use jokingly as a placeholder name, and it’s possible that the web developer used the same reference.

Tom Corless
Admin
4 months ago
Reply to  Bill

Other guests confirmed seeing the address.

Rachel
Rachel
4 months ago
Reply to  Bill

I got an email that said I logged in to my account in Washington….however, I live in Michigan…

Chris C
Chris C
4 months ago
Reply to  Bill

As a Chris who bought stuff that day, I don’t feel reassured that it could be a test name.

Lina Kirychuk
Lina Kirychuk
4 months ago

I was logged into “Chris’s” account as well after the page loaded for me. It took a few tries of refreshing the page before it would show my name and then I proceeded to order.

Moq
Moq
4 months ago

Just light the app on fire already

Tom Merchandiseless
Tom Merchandiseless
4 months ago

Is there any information or reports of this happening to people who weren’t in the virtual que? I know your specific experience was while in the que, but I’m trying to figure out if my account may have possibly been out there.

Also, did everyone become Chris or did everyone become someone random?

Brittney
Brittney
4 months ago

Today this security breach has finally affected me from my attempt to make a purchase on shopDisney on May 4th. ShopDisney is the only place I’ve used my card and had to enter my information in the past month and someone got my credit card information and made a $45 purchase on Amazon today (I don’t have an Amazon account) before I even woke up, thankfully my card notified me. Now I need a replacement card and have to update it on everything I use and won’t be able to have it for emergencies for possibly a week. I’m on… Read more »